You are right, the wording of that advisory is dreadful. You could even send it to the English Usage stack exchange for them to cackle at it. The advisory should have said 'Mandatory Support' and 'Recommended Order of Negotiation'.
– LateralFractal, Oct 19 '13 at 1:33

Thanks for the reply, LateralFractal. I thought so too. But what confuses me is that there were 5 ciphers under "must-have ciphers" and 2 under "preferred ciphers" in the advisory. If the recommended negotiation order ("preferred ciphers") just reflects the order of the mandatory-support ciphers ("must-have ciphers") during client/server negotiation, then there should be the same number of ciphers listed under both "must-have ciphers" and "preferred ciphers", but that wasn't the case in the advisory.
– John, Oct 20 '13 at 4:42

1 Answer (1 vote)

The BEAST attack basically works on CBC-mode block ciphers, AES and 3DES in this case. RC4 is a stream cipher, so it is immune to BEAST and similar attacks, but you should know that RC4 is starting to be considered broken, and modern browsers mitigate BEAST and similar attacks.

I agree that the wording of the advice is confusing, but your conclusions are basically correct:

Yes, if you don't want to prefer block ciphers but still want to support them this configuration is acceptable, since it prefers stream ciphers over block ciphers and places the stronger suites in higher positions.

The configuration seems correct. You can verify your cipher-spec string with the following command:
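The answer's own verification command is not reproduced above. As a separate, added illustration (not the answer's command and not the asker's actual cipher string), the script below encodes the ordering property the answer describes: stream suites placed before CBC suites, and stronger suites placed higher within each group. The suite list, the `classify`/`key_bits` heuristics and the `check_order` function are all assumptions constructed for this example; the names follow OpenSSL's suite naming but the list is invented.

```python
import re

# Constructed example order (OpenSSL-style suite names); NOT the asker's configuration.
# Stream suites first, then CBC block suites, strongest first within each group.
EXAMPLE_ORDER = [
    "RC4-SHA",
    "RC4-MD5",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]


def classify(suite: str) -> str:
    """Heuristic class of an OpenSSL-style suite name: 'stream', 'aead' or 'cbc'.

    Only CBC-mode block suites are relevant to BEAST; AEAD suites (GCM, CCM,
    ChaCha20) and stream suites (RC4) are treated as non-CBC.
    """
    if "RC4" in suite:
        return "stream"
    if any(tag in suite for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    return "cbc"


def key_bits(suite: str) -> int:
    """Rough symmetric key strength, used only to compare suites within a class."""
    if "DES-CBC3" in suite or "3DES" in suite:
        return 112  # effective strength of triple DES
    m = re.search(r"(?:AES|CAMELLIA|ARIA)(\d{3})", suite)
    if m:
        return int(m.group(1))
    if "RC4" in suite:
        return 128
    if "DES" in suite:
        return 56
    return 0


def check_order(suites):
    """Return a list of (severity, message) findings for a preference order.

    'warn' findings break the property described in the answer:
      - a stream/AEAD suite listed after a CBC suite (block cipher preferred), or
      - a suite listed after a weaker suite of the same class.
    'info' findings are non-blocking notes (e.g. RC4 present at all).
    """
    findings = []
    seen_cbc = False
    last_bits = {}  # class -> key size of the previous suite of that class
    for pos, suite in enumerate(suites):
        cls = classify(suite)
        bits = key_bits(suite)
        if cls == "cbc":
            seen_cbc = True
        elif seen_cbc:
            findings.append(("warn", f"{suite} (position {pos}) is a {cls} suite "
                                     "listed after a CBC suite"))
        if cls in last_bits and bits > last_bits[cls]:
            findings.append(("warn", f"{suite} ({bits}-bit) is listed after a "
                                     f"weaker {cls} suite"))
        last_bits[cls] = bits
    if any(classify(s) == "stream" for s in suites):
        findings.append(("info", "RC4 suites present: RC4 is increasingly "
                                 "considered weak, so revisit this trade-off"))
    return findings


def warnings_only(suites):
    """Convenience wrapper: just the 'warn' messages for a given order."""
    return [msg for sev, msg in check_order(suites) if sev == "warn"]


if __name__ == "__main__":
    for sev, msg in check_order(EXAMPLE_ORDER):
        print(f"[{sev}] {msg}")
```

Running it on `EXAMPLE_ORDER` yields no warnings, only the informational note about RC4; reversing two entries (for example putting `AES128-SHA` ahead of `RC4-SHA`, or `AES128-SHA` ahead of `AES256-SHA`) produces a warning for exactly the ordering the answer advises against.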